// Pillar Guide · 2026 Update · ~22 min read

CYBER INSURANCE: THE 10 UNDERWRITER CONTROLS EVERY SMALL BUSINESS NEEDS.

By 2026, every major cyber-insurance carrier — Coalition, Travelers, AIG, Chubb, Beazley, AmTrust, Hiscox, Tokio Marine HCC — requires a baseline of 10 specific technical controls before binding or renewing a policy. The exact wording varies by carrier; the underlying list is remarkably consistent. This guide walks through each control, the underwriter rationale, the practical implementation, and how the same 10 controls double as a regulatory floor for HIPAA, the FTC Safeguards Rule, and Florida Bar Rule 4-1.6. If your business has all 10 in place, you're both insurable and audit-defensible.

By Steve Condit, USMC Veteran · 30+ yrs IT · Published 2026-05-01 · Updated 2026-05-13
// What's In This Guide

TEN CONTROLS, ONE FAQ. ABOUT 4,000 WORDS.

  01  Multi-Factor Authentication (Blocks 99.9% of Credential Attacks)
  02  Endpoint Detection & Response (EDR Replaces Legacy Antivirus)
  03  Email Security Gateway (Beyond Default Microsoft 365 Protection)
  04  Tested Encrypted Backup (3-2-1, Immutable, Quarterly Restore Drills)
  05  Patch & Vulnerability Management (Ransomware Exploits Old Patches)
  06  Security Awareness Training (Annual + Monthly Phishing Simulations)
  07  Written Incident Response Plan (One Page, Phone Numbers First)
  08  Vendor Inventory + BAA / SOC 2 Tracking
  09  Network Segmentation (Limit the Blast Radius)
  10  Privileged Account Management (Domain Admin ≠ Daily Email)
  11  Frequently Asked Questions
// 01

MULTI-FACTOR AUTHENTICATION (MFA).

Why underwriters require it: Microsoft Security data consistently shows MFA blocks approximately 99.9% of automated credential attacks. Carrier loss-frequency data shows roughly a 60-80% reduction in claim frequency among policyholders with universal MFA. It is the single highest-leverage technical control, by a wide margin. Every major 2026 underwriter requires MFA on email, remote access, and privileged accounts at minimum; many now require it on every cloud service touching business data.

Practical Implementation

For Microsoft 365 tenants, the modern path is Entra ID Conditional Access policies that enforce MFA on every user, block legacy authentication (a common MFA bypass), and require compliant or hybrid-joined devices for sensitive applications. Microsoft 365 Business Premium includes the Conditional Access licensing. Authenticator app (push or TOTP) is preferred over SMS, which is vulnerable to SIM-swap attacks — underwriter questionnaires are increasingly specific about this.

Common Failure Modes

The most common audit finding: MFA enabled but not enforced — users can still log in without it. Second most common: MFA on regular users but not on global administrators (the most valuable accounts on the tenant). Third: legacy authentication left enabled, allowing IMAP/POP/SMTP clients to bypass MFA. Conditional Access policies that block legacy auth fix this categorically.
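The three failure modes above can be checked mechanically against the tenant's Conditional Access policies. The following is an added example (not Simply IT's or Microsoft's code) that audits a list of policy objects; the policy dicts are constructed and follow the Microsoft Graph conditionalAccessPolicy field names only loosely (an assumption), and the Global Administrator role id is a placeholder.

```python
"""Audit Conditional Access policies for: MFA enabled but not enforced,
Global Administrators excluded from MFA, and legacy authentication not blocked.
Added example; the policy shapes below are constructed, not pulled from a tenant."""

# Placeholder for the Global Administrator directory-role template id (assumption).
GLOBAL_ADMIN_ROLE = "role-global-admin-PLACEHOLDER"


def _enforced(policy):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies do nothing.
    return policy.get("state") == "enabled"


def _all_users(policy):
    return "All" in policy["conditions"]["users"].get("includeUsers", [])


def _covers_global_admins(policy):
    users = policy["conditions"]["users"]
    included = _all_users(policy) or GLOBAL_ADMIN_ROLE in users.get("includeRoles", [])
    return included and GLOBAL_ADMIN_ROLE not in users.get("excludeRoles", [])


def audit_policies(policies):
    """Return a list of finding strings; an empty list means all three checks pass."""
    findings = []
    mfa = [p for p in policies if "mfa" in p["grantControls"]["builtInControls"]]
    enforced_mfa = [p for p in mfa if _enforced(p)]
    if not mfa:
        findings.append("no Conditional Access policy requires MFA")
    elif not enforced_mfa:
        findings.append("MFA policy exists but is report-only or disabled (enabled, not enforced)")
    # Failure mode 2: MFA covers regular users but the most valuable accounts are excluded.
    if enforced_mfa and not any(_covers_global_admins(p) for p in enforced_mfa):
        findings.append("no enforced MFA policy covers Global Administrators")
    # Failure mode 3: legacy auth (IMAP/POP/SMTP basic auth) is not blocked for everyone.
    legacy_blocked = any(
        _enforced(p)
        and "block" in p["grantControls"]["builtInControls"]
        and _all_users(p)
        and {"exchangeActiveSync", "other"} <= set(p["conditions"]["clientAppTypes"])
        for p in policies
    )
    if not legacy_blocked:
        findings.append("legacy authentication is not blocked; IMAP/POP/SMTP clients can bypass MFA")
    return findings


def _policy(name, state, controls, users, client_apps, exclude_roles=()):
    # Constructed policy object in a Graph-like shape (assumption).
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": list(users), "includeRoles": [],
                                     "excludeRoles": list(exclude_roles)},
                           "applications": {"includeApplications": ["All"]},
                           "clientAppTypes": list(client_apps)},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}


# Constructed tenants: one per failure mode, plus the hardened configuration.
REPORT_ONLY_TENANT = [_policy("Require MFA", "enabledForReportingButNotEnforced",
                              ["mfa"], ["All"], ["all"])]
ADMINS_EXCLUDED_TENANT = [_policy("Require MFA", "enabled", ["mfa"], ["All"], ["all"],
                                  exclude_roles=[GLOBAL_ADMIN_ROLE])]
HARDENED_TENANT = [
    _policy("Require MFA for all users", "enabled", ["mfa"], ["All"], ["all"]),
    _policy("Block legacy authentication", "enabled", ["block"], ["All"],
            ["exchangeActiveSync", "other"]),
]
```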

// 02

ENDPOINT DETECTION & RESPONSE (EDR).

Why underwriters require it: Legacy signature-based antivirus catches known malware. EDR catches behavior — the in-memory injection, the lateral movement, the encryption pattern that precedes ransomware detonation. By 2026, every credible cyber underwriter expects EDR (not just AV) on every workstation and server. Several carriers specifically list legacy AV-only as a coverage exclusion or surcharge trigger.

Acceptable EDR Products in 2026

The carrier-accepted list typically includes: Microsoft Defender for Business (or Defender for Endpoint), CrowdStrike Falcon, SentinelOne, Sophos Intercept X, ESET Inspect, Bitdefender GravityZone, Huntress (often paired with another EDR), and Cisco Secure Endpoint. Underwriters generally do not accept Norton, McAfee Consumer, Webroot Endpoint Protection, or Windows Defender (the free consumer product) as a substitute. The distinction is behavioral detection and centralized response — not the product name.

The 24/7 Response Layer

EDR generates alerts. Those alerts need humans behind them. For most small businesses the practical path is an EDR product backed by a managed Security Operations Center (SOC) that triages alerts 24/7 and takes containment action when something detonates. Simply IT deploys Defender for Business with SOC monitoring as standard on the Simply Secure ($125/user/mo) and Simply Compliant ($150/user/mo) tiers.

// 03

EMAIL SECURITY GATEWAY.

Why underwriters require it: Roughly 90% of cyber incidents start with email — phishing for credentials, BEC for wire fraud, malicious attachments for initial-access malware. The default protection bundled with Microsoft 365 Business Basic/Standard is a starting point, not a finished posture. Underwriters increasingly require an additional email-security layer with specific capabilities the default doesn't provide.

What the Gateway Should Do

The capabilities that matter: attachment sandboxing (detonate suspicious files in a virtual environment before delivery), URL rewriting and time-of-click protection (re-checking links when clicked, not just at delivery), display-name impersonation detection (catches “CEO” spoofs), homoglyph-domain detection (catches “rnicrosoft.com” in place of “microsoft.com”), DMARC enforcement on the business's own domain (prevents direct spoofing), and external-sender banners on the message preview.
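To make the display-name, homoglyph-domain and external-sender checks concrete, here is an added example (not code from any of the products named on this page) that applies them to a From header. The business domain, the executive list, the confusable-character table and the edit-distance threshold of 1 are all assumptions chosen for the example.

```python
"""Inbound-mail sender checks: external-sender banner, homoglyph domain,
display-name impersonation. Added example with constructed configuration."""
import re

BUSINESS_DOMAIN = "example-firm.com"                    # constructed
EXECUTIVES = {"jane doe": "jdoe@example-firm.com"}      # constructed: display name -> real mailbox
PROTECTED_DOMAINS = {"microsoft.com", BUSINESS_DOMAIN}   # domains worth impersonating

# Character sequences that render almost identically in common fonts (assumed table).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold_confusables(label):
    """Collapse look-alike sequences so 'rnicrosoft.com' folds to 'microsoft.com'."""
    label = label.lower()
    for glyphs, canonical in CONFUSABLES:
        label = label.replace(glyphs, canonical)
    return label


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typosquats like 'microsoft.co'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain):
    """Return the protected domain this sender domain impersonates, or None."""
    d = domain.lower()
    if d in PROTECTED_DOMAINS:
        return None
    for real in PROTECTED_DOMAINS:
        if fold_confusables(d) == fold_confusables(real) or edit_distance(d, real) == 1:
            return real
    return None


FROM_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$')


def parse_from(header):
    """Split 'Display Name <addr>' into (name, addr); a bare address has no name."""
    m = FROM_RE.match(header)
    if not m:
        return "", header.strip().lower()
    return m.group(1).strip(), m.group(2).strip().lower()


def check_sender(from_header):
    """Return the list of findings a gateway would raise for this From header."""
    name, addr = parse_from(from_header)
    domain = addr.rsplit("@", 1)[-1]
    findings = []
    if domain != BUSINESS_DOMAIN:
        findings.append("external-sender")          # drives the banner on the preview
    target = lookalike_domain(domain)
    if target:
        findings.append(f"homoglyph-domain:{target}")
    real_mailbox = EXECUTIVES.get(name.lower())
    if real_mailbox and addr != real_mailbox:
        findings.append("display-name-impersonation")  # "CEO" name, outside mailbox
    return findings
```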

Defensible Products

Microsoft Defender for Office 365 (Plan 1 or Plan 2 — Plan 2 includes Threat Explorer and Attack Simulation), Proofpoint Essentials, Mimecast, Avanan/Check Point, Abnormal Security, IRONSCALES, and Barracuda Email Protection. Most are SaaS layered in front of (or alongside) Microsoft 365 Exchange Online. For most small businesses, Microsoft Defender for Office 365 Plan 1 (included with Business Premium) is adequate; firms with specific BEC exposure (real-estate closings, CPA wire activity, estate distributions) benefit from a specialty layer like Abnormal or IRONSCALES.

// 04

TESTED ENCRYPTED BACKUP.

Why underwriters require it: Tested backup is the single most important post-incident recovery control. The ransomware threat model assumes the attacker will find and encrypt or delete every accessible backup — so the backup must be either offline, immutable, or both, and it must be tested. The 3-2-1 rule (3 copies, 2 different media types, 1 off-site) is the floor; modern best practice adds immutable cloud retention and quarterly tested restores.

What “Tested” Actually Means

Underwriters increasingly distinguish between “backup configured” (the backup job ran) and “backup tested” (a real recovery from the backup actually worked). Quarterly tested restores mean: pick a server or a file share, restore it to an isolated environment, validate the data is usable, document the result, repeat next quarter. A backup that has never been restored is not a backup — it's a hope.
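The "validate the data is usable, document the result" step can be made mechanical: hash every file at backup time, hash the restored copy, and keep the comparison as the drill record. The following is an added example (not Datto's, Veeam's or any other vendor's code) that runs a constructed drill on a temporary file share where one file is missing and one is silently damaged.

```python
"""Restore-drill verifier: compare a restored tree against the manifest taken at
backup time and produce a dated evidence record. Added example; the file share
and the restore outcome below are constructed."""
import hashlib
import tempfile
from datetime import date
from pathlib import Path


def manifest(root):
    """SHA-256 of every file under root, keyed by its relative POSIX path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(source_manifest, restored_root):
    """Report missing and corrupted files; PASS only when the restore is byte-exact."""
    restored = manifest(restored_root)
    missing = sorted(set(source_manifest) - set(restored))
    corrupt = sorted(k for k, h in source_manifest.items()
                     if k in restored and restored[k] != h)
    return {"files_expected": len(source_manifest), "files_restored": len(restored),
            "missing": missing, "corrupt": corrupt,
            "result": "PASS" if not (missing or corrupt) else "FAIL"}


def drill_record(target, result, drill_date=None):
    """The evidence line an underwriter asks for: what was restored, when, outcome."""
    return {"drill_date": (drill_date or date.today()).isoformat(),
            "target": target, **result}


def demo():
    """Constructed quarterly drill of a three-file share restored into an isolated directory."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        files = {"clients/a.txt": b"alpha", "clients/b.txt": b"bravo", "ledger.csv": b"1,2,3"}
        for name, data in files.items():
            path = Path(src) / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        backup_manifest = manifest(src)          # captured when the backup job ran
        # Simulated restore: b.txt never comes back and ledger.csv is subtly wrong.
        (Path(dst) / "clients").mkdir()
        (Path(dst) / "clients" / "a.txt").write_bytes(b"alpha")
        (Path(dst) / "ledger.csv").write_bytes(b"1,2,4")
        return drill_record("file-share-01", verify_restore(backup_manifest, dst),
                            date(2026, 4, 1))
```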

What to Back Up

Every server, every database, every locally hosted application, every file share — image-based where possible for fastest recovery. For Microsoft 365 tenants, third-party backup of Exchange Online, SharePoint, OneDrive, and Teams is increasingly expected by underwriters because Microsoft's native retention is not a true backup against malicious deletion. Defensible products: Datto, Veeam (with Veeam Cloud Connect or Veeam Vault), Acronis, N-able Cove, Axcient, and Microsoft 365 backup specialty tools (Barracuda Cloud-to-Cloud, AvePoint, Spanning).

// 05

PATCH & VULNERABILITY MANAGEMENT.

Why underwriters require it: CISA's Known Exploited Vulnerabilities catalog consistently shows that the patches ransomware actors exploit have been available for weeks or months at the time of the incident. Most ransomware does not exploit zero-days — it exploits the patch the IT team didn't deploy. Carrier loss data tracks closely to patch-cadence reporting.

What Good Looks Like

Operating-system patches (Windows, macOS) applied on a controlled schedule — typically within 14-30 days for non-critical patches, faster for emergency CVEs. Browser patches (Chrome, Edge, Firefox) on auto-update with reporting. Third-party application patches (Adobe Reader, Java, Zoom, Slack, the tax-software stack, the law-firm DMS) tracked and updated. Internet-facing systems (firewalls, VPN concentrators, remote-access gateways) patched aggressively — these are the highest-leverage targets for attackers.
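The cadence above can be expressed as an SLA check over the RMM's list of pending patches, with CISA KEV entries and internet-facing hosts moved to the emergency tier. The following is an added example (not ConnectWise, NinjaOne or Datto code); the 7-day emergency window is an assumption, since the page says only "faster", the 30-day routine window is the outer bound the page gives, and the CVE ids and KEV set are placeholders.

```python
"""Patch-SLA compliance check over an RMM-style pending-patch list.
Added example with constructed inventory and placeholder CVE identifiers."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed windows: the page gives 14-30 days for non-critical patches and "faster"
# for emergency CVEs without a number, so 7 is a constructed choice.
SLA_DAYS = {"routine": 30, "emergency": 7}


@dataclass(frozen=True)
class PendingPatch:
    host: str
    product: str
    cves: tuple            # CVE ids the patch addresses (may be empty)
    released: date         # vendor release date; the SLA clock starts here
    internet_facing: bool = False


def classify(patch, kev):
    """Emergency if any CVE is in the KEV catalog or the host is internet-facing."""
    if patch.internet_facing or any(c in kev for c in patch.cves):
        return "emergency"
    return "routine"


def overdue_patches(pending, kev, today):
    """Pending patches past their SLA window, with the number of days late."""
    overdue = []
    for p in pending:
        tier = classify(p, kev)
        days_late = (today - p.released).days - SLA_DAYS[tier]
        if days_late > 0:
            overdue.append({"host": p.host, "product": p.product,
                            "tier": tier, "days_late": days_late})
    return overdue


def compliance_rate(pending, kev, today):
    """Share of pending patches still inside their window (1.0 = fully compliant)."""
    if not pending:
        return 1.0
    return 1 - len(overdue_patches(pending, kev, today)) / len(pending)


# Constructed sample: placeholder CVE ids, not real entries.
TODAY = date(2026, 5, 13)
KEV = {"CVE-0000-00001", "CVE-0000-00002"}
SAMPLE = (
    PendingPatch("ws-01", "Adobe Reader", ("CVE-0000-00001",), TODAY - timedelta(days=20)),
    PendingPatch("fw-01", "Firewall firmware", ("CVE-0000-00009",),
                 TODAY - timedelta(days=10), internet_facing=True),
    PendingPatch("ws-02", "Zoom", ("CVE-0000-00003",), TODAY - timedelta(days=20)),
    PendingPatch("srv-01", "Windows Server cumulative update", (), TODAY - timedelta(days=45)),
)
```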

The RMM Pattern

Small businesses don't implement patch management manually; they implement it through their managed IT provider's Remote Monitoring & Management (RMM) platform. The RMM enforces the patching policy, reports the compliance status, and surfaces the exceptions. Simply IT runs ConnectWise/NinjaOne/Datto-class RMM with documented patch policies, monthly compliance reporting, and emergency-CVE override procedures.

// 06

SECURITY AWARENESS TRAINING.

Why underwriters require it: Trained users click less. Trained users report suspicious email. Trained users follow the call-back protocol on wire requests. Carrier loss data shows meaningful reductions in BEC and phishing-driven incidents at policyholders with documented training programs.

Annual + Ongoing

The 2026 baseline: annual training for every workforce member (new-hire training within the first week, refresher annually for everyone), plus monthly phishing simulations to keep the muscle warm. Documented completion records. A sanctions policy — in writing — for repeat clickers (typically progressive: remedial training, supervisor notification, formal HR involvement after three failures in a rolling year).

Defensible Platforms

KnowBe4, Proofpoint Security Awareness, Hoxhunt, Cofense, Wizer, Curricula (now Huntress), Living Security. KnowBe4 is the broadest small-business choice and integrates well with Microsoft 365. Industry-specific phishing simulations (real-estate closing fraud, CPA W-2 phishing, medical practice patient-data phishing) deliver outsized training value compared with generic templates.

// 07

WRITTEN INCIDENT RESPONSE PLAN.

Why underwriters require it: The first hour after a suspected breach determines most of the loss outcome. A written IR plan with named roles and phone numbers turns an adrenaline-fogged emergency into a sequence of pre-decided steps. Carriers ask for the plan on the questionnaire and may request a copy at renewal.

What the Plan Should Contain

One page is enough for small businesses — sometimes better, because the plan needs to be findable and readable during stress. The contents: (1) the cyber insurance breach hotline at the top in 18-point font; (2) the IT provider's after-hours phone number; (3) the named incident commander (typically the owner or general manager); (4) the first-60-minute checklist (call insurance, disconnect-don't-power-down, document, do not pay or negotiate without breach coach); (5) the named alternate decision-makers if the incident commander is unavailable; (6) the location of physical backups; (7) the date of last update.

Where the Plan Lives

Posted in a place not dependent on the IT environment that may be down: printed and laminated at the owner's desk, taped inside the front of the operations binder, in a physical safe, on a phone. A plan that lives only in SharePoint is unavailable during exactly the incident in which SharePoint is down. Annual review and update.

// 08

VENDOR INVENTORY + BAA / SOC 2 TRACKING.

Why underwriters require it: Third-party / vendor compromise is one of the fastest-growing incident categories. The business's exposure isn't just its own systems — it's every SaaS, every cloud provider, every payroll vendor, every billing service. Underwriters want to see that the business has inventoried that surface and is monitoring it.

What the Inventory Should Contain

For every vendor with access to business data: name, service description, data category accessed, current contract on file (date, renewal date), security attestation on file (SOC 2 Type II if applicable, BAA if PHI is involved, security questionnaire response otherwise), named relationship owner. The inventory is a living document — reviewed at least annually and updated whenever a new vendor is added.

Why This Matters Beyond Insurance

HIPAA Business Associate Agreement obligations (45 CFR 164.314), FTC Safeguards service-provider oversight (16 CFR 314.4(f)), Florida Bar Rule 4-1.6 cloud-storage diligence (Ethics Opinion 12-3) — all require effectively the same inventory. The cyber-insurance underwriter just made it a hard renewal deliverable.

// 09

NETWORK SEGMENTATION.

Why underwriters require it: When ransomware lands on one workstation, the question is whether it can encrypt every other workstation, every server, every connected device. Network segmentation limits the blast radius — a single compromised endpoint can't reach the servers, can't reach the backup target, can't reach the medical-device network, can't reach the guest WiFi printer.

The Practical Pattern for SMBs

For most small businesses, segmentation looks like: (1) workstation VLAN separate from server VLAN; (2) guest WiFi VLAN with no route to production; (3) IoT/printer VLAN with no route to production; (4) for medical practices: separate VLAN for medical devices and modalities; (5) for firms with locally hosted servers: backup target on a separate network not directly reachable from workstations. A business-grade firewall (Fortinet, Sophos, Cisco Meraki, WatchGuard, SonicWall) handles the segmentation natively.

The Zero-Trust Direction

For cloud-first businesses without an on-premise server, segmentation increasingly happens at the identity layer rather than the network layer — Conditional Access policies that restrict who can access what from where on what kind of device. The destination is the same: limit the blast radius of any one compromise.

// 10

PRIVILEGED ACCOUNT MANAGEMENT.

Why underwriters require it: When an attacker lands a phishing email on a regular user, the damage is bounded. When the attacker lands a phishing email on a domain administrator who also reads email on the same account, the damage is unbounded. Privileged Account Management (PAM) means privileged credentials are treated as a different class of asset.

The Separation Principle

Every IT person should have at least two accounts: a regular user account they use for email, browsing, and day-to-day work; and a separate privileged account they use only when administering systems. The privileged account does not receive email, does not browse the web, and does not stay logged in. MFA is enforced. Activity is logged and monitored. Service accounts get their own treatment — ideally credential-vaulted (a real PAM product) but at minimum with strong password rotation and monitored access.

Practical Implementation for SMBs

Small businesses don't typically deploy enterprise PAM products (CyberArk, BeyondTrust). The practical implementation: separate global-admin accounts in Microsoft 365 Entra ID; Privileged Identity Management (PIM, included in Microsoft 365 E5 or Entra ID P2) to make admin access just-in-time and approval-required; managed-IT provider best practices around vaulted service-account credentials and break-glass account procedures.

// 11

FREQUENTLY ASKED QUESTIONS.

Why these 10 specifically?
These 10 controls represent the cross-section that emerged from carrier loss data between 2019 and 2025. Every major underwriter (Coalition, Travelers, AIG, Chubb, Beazley, AmTrust, Hiscox, Tokio Marine HCC) independently arrived at substantially the same list after analyzing which controls actually correlated with reduced claim frequency and severity. Multi-factor authentication alone correlates with a roughly 60-80% reduction in claim frequency in published carrier studies. EDR, tested backup, and email-security gateway round out the top-four risk reducers. The remaining six controls address either residual risk or post-incident recoverability.

Do all carriers require all 10? Are they different?
The exact wording on each carrier's questionnaire varies, but every major carrier in 2026 asks about all 10 in some form. Some carriers split MFA into multiple line items (mailbox MFA, remote-access MFA, privileged-account MFA). Some bundle patch management and vulnerability management into one question; others ask separately. Some require attestation only; others require evidence (screenshots, vendor contracts, policy documents). Coalition and Cowbell tend to ask for the most technical detail. Travelers and Chubb lean toward attestation with audit rights. Practically: if a business has all 10 implemented, every carrier questionnaire becomes answerable.

What happens if I'm missing some at renewal?
Three things, in order of likelihood. First, premium increase — carriers routinely apply 20-40% surcharges for missing MFA, missing EDR, or missing tested backup. Second, coverage exclusions — some carriers exclude ransomware-related losses entirely if MFA is not in place on email and remote access. Third, non-renewal — for repeat shortfalls or larger gaps, the carrier simply declines to renew. The market has hardened significantly since 2020, and carriers are no longer afraid to walk away from underwhelming risks.

How big a premium impact does each control have?
Carrier disclosures and broker data suggest rough ranges: MFA (15-30% premium impact), EDR (10-20%), tested backup (10-15%), email-security gateway (5-10%), security awareness training (5-10%). The compounding is real — a business that achieves all five top-tier controls can see 40-60% lower premium than an otherwise identical business missing them. Below those, the marginal premium impact of any single additional control is smaller, but the coverage-limit and exclusion impact can be significant.

What coverage limits should a Florida SMB carry?
Industry guidance for small businesses in 2026 is roughly $1M-$3M aggregate limit for businesses under 25 employees, $3M-$5M for businesses 25-100 employees, and $5M+ for businesses above that or with elevated risk (PHI, financial-services, e-commerce, large customer-data volumes). Cost-of-breach studies from IBM and Ponemon consistently report SMB average breach costs in the $200K-$1M range — meaning under-limited policies have a real probability of exhausting coverage. Discussion with a specialty broker is worth more than a generic limit recommendation.

What's the difference between cyber and E&O coverage?
Cyber liability coverage addresses first-party costs (forensics, notification, credit monitoring, business interruption, ransomware payment if permitted, restoration) and third-party costs (lawsuits from affected customers, regulatory defense, fines where insurable). Errors & Omissions (E&O) / professional liability addresses claims that the business's professional services failed to meet the expected standard of care. A medical practice, CPA firm, or law firm typically needs both. Some carriers bundle them; the coverages are conceptually distinct and the underwriter questions differ.

What is a “ransomware exclusion” and should I worry about it?
Yes. Several carriers in 2022-2024 introduced “ransomware sublimits” (capping ransomware loss at, say, 25% of the policy aggregate) or outright “ransomware exclusions” for policyholders missing specific controls. Most common trigger: missing MFA on email or remote access, missing offline/immutable backup, or missing EDR. Read the policy. The exclusion or sublimit is typically buried in endorsements rather than the policy declarations. If you can't find clear ransomware coverage at full limits, the policy is much weaker than the limit-on-the-front-page suggests.

How does pre-approval of forensic firms work?
Most cyber-insurance carriers require the policyholder to engage carrier-approved forensic firms, breach coaches, and notification vendors in the event of an incident — using a non-approved vendor without prior carrier consent can void coverage for that vendor's fees. The carrier's breach hotline routes you to approved firms within hours. The lesson: before an incident, read the policy and know the carrier's breach hotline number. Post the number on the incident-response plan.

What are the notification timeline obligations?
Three overlapping clocks. (1) Insurance: most policies require notification of the carrier within 24-72 hours of discovery. Late notice can void coverage. (2) Federal regulator: HIPAA gives 60 days (45 CFR 164.400-414), FTC Safeguards Rule gives 30 days (16 CFR 314.4(j)). (3) State: Florida Information Protection Act (F.S. 501.171) requires notification within 30 days of discovery for breaches affecting 500+ Florida residents. The clocks all start on discovery, not confirmation. Time-to-discovery matters significantly to legal and insurance exposure.

How is Simply IT different on cyber-insurance readiness?
Simply IT is veteran-owned, headquartered in Ocala FL, and treats insurance-readiness as a core deliverable. Standard onboarding for every client includes implementation and attestation evidence for all 10 controls covered in this guide, a written information-security policy, written incident-response plan with the breach-hotline placeholder, vendor inventory with SOC 2/BAA tracking, and the documentation a broker or underwriter needs to renew without surprises. Same flat monthly fee on Simply Secure ($125/user/mo) or Simply Compliant ($150/user/mo); and no long-term contracts.
READY TO GET THE 10 CONTROLS IN PLACE BEFORE RENEWAL?

Get a free cyber-insurance readiness assessment from a veteran-owned managed IT provider headquartered in Ocala, FL. We'll review your current posture against all 10 underwriter controls, identify the gaps, and give you a written remediation roadmap your broker can actually use at renewal — with no obligation.

Or call us directly: 352-723-5003